GHSA-w5hr-jm4j-9jvq

Source
https://github.com/advisories/GHSA-w5hr-jm4j-9jvq
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-w5hr-jm4j-9jvq/GHSA-w5hr-jm4j-9jvq.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-w5hr-jm4j-9jvq
Aliases
Published
2021-03-02T02:57:23Z
Modified
2024-12-03T06:08:49.026212Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Summary
Sandbox escape through template_object in smarty
Details

Sandbox protection could be bypassed through access to an internal Smarty object that should have been blocked. Sites that rely on Smarty Security features should upgrade as soon as possible. Please upgrade to 3.1.39 or higher.

Database specific
{
    "nvd_published_at": "2021-02-22T02:15:00Z",
    "cwe_ids": [],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2021-03-02T02:55:01Z"
}
References

Affected packages

Packagist / smarty/smarty

Package

Name
smarty/smarty
Purl
pkg:composer/smarty/smarty

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
3.1.39

Affected versions

v2.*

v2.6.24
v2.6.25
v2.6.26
v2.6.27
v2.6.28
v2.6.29
v2.6.30
v2.6.31
v2.6.33

v3.*

v3.1.11
v3.1.12
v3.1.13
v3.1.14
v3.1.15
v3.1.16
v3.1.17
v3.1.18
v3.1.19
v3.1.20
v3.1.21
v3.1.23
v3.1.24
v3.1.25
v3.1.26
v3.1.27
v3.1.28
v3.1.29
v3.1.30
v3.1.31
v3.1.32
v3.1.33
v3.1.34
v3.1.35
v3.1.36
v3.1.37
v3.1.37.1
v3.1.38